This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.

Tuesday, August 08, 2017

How Refreshing To Encounter Such An Honest Man Who Knows Access To The myHR Can Never Be Really Secure.

As opt-out change looms.

It’s no secret that your local doctor’s office is unlikely to have the best protections when it comes to securing your personal health records.

In this small business environment, technology often gets pushed to the bottom of the priority list when contending with life or death matters.

It means medical practices often fall victim to ransomware attacks that exploit vulnerabilities in old software - like the recent WannaCry epidemic - and hold patient and practice data to ransom.

Health services was the second most frequently breached industry in 2016, according to Symantec. Medical records also fetch a pretty penny on the black market, at somewhere around US$10 per record on average.

But with the shift to an online health record for every Australian looming - and in light of the recent access control issues raised in the discovery of black market sales of Medicare details - strengthening these weak links in the chain becomes all the more pertinent.

It means the Australian Digital Health Agency (ADHA) will be in charge of securing around 22 million e-health records within a big ecosystem of healthcare providers.

“We’ve worked on the basis that one record is worth US$1 and we’ve got 22 million of them - is that enough for somebody to get out of bed and try to steal our data? I think it is,” ADHA chief information security officer Anthony Kitzelmann told the Technology in Government conference.

This is why the ADHA will spend $15.8 million this year alone shoring up the security of the My Health Record system.

But one of ADHA's biggest challenges is working out what an applicable standard for digital health in Australia looks like in lieu of any prescriptive documentation.

“Is the ISM an appropriate standard? Is the ISO standard applicable? HIPAA regulations out of the US? Which one works, which is fit for purpose?” Kitzelmann said.

An internal review conducted in the lead-up to the policy switch to opt-out e-health records found that there were elements of all these standards that could apply to Australia’s e-health ecosystem.

More importantly what came out of the review process was that ADHA needed to change its focus and move to a risk-based governance model.

“If we have a large jurisdiction that has 130,000 employees and a massive investment in their health strategy, we’d expect them to sit [high up] in terms of their security performance,” Kitzelmann said.

“But how do we measure when it’s a general practice run by a husband and wife, the husband is the GP and the wife is the receptionist, IT support and nurse at lunchtime? What do we expect them to do to protect citizen records in an appropriate way? And how do we help them get that balance?

“Because we know quite well they’re going to be sitting on a Windows XP machine that has vulnerabilities up the kazoo, and that it’s going to be a point of egress into the national system that we need to mitigate and manage.

"[However] we also need to understand that it’s irresponsible of us to say ‘you need to be on Windows 10, patched within 24 hours, and running this AV software’ - it’s just not going to happen.”

ADHA’s solution to this problem has been to amalgamate elements of all the relevant standards into a risk-based governance model that helps GPs have “good clinical hygiene with their cyber security practices”.

It is currently working with the Royal Australian College of General Practitioners to develop a single standard that provides “practical, commonsense guidelines” outlining what clinics can do to be more secure.

However, Kitzelmann said ADHA recognised that while GPs would “try their best”, they would “never be truly secure”.

As Anthony says you can never have all those GP practices, pharmacies and so on be secure. Given these are all likely access points to the myHR it is hard to see just how the central data base can itself be secure.

My view is that the cat has been belled and that if you want to be sure your private information to stay private you will manage carefully what personal information makes it to the myHR. If you are not sure you are on top of all the access controls etc. it would be prudent to simply opt-out.

David.

Postscript:

The views expressed are not isolated. See here:

Australia's inside-out digital health strategy

If patients are to be 'put at the centre of their healthcare', they need to be put at the centre of their health data.

Here ares the relevant paragraphs.
"If patients are to be "put at the centre of their healthcare", and
their biggest worry is that their confidential health data might be
breached, then surely this whole strategy is inside out.

Surely
you don't mitigate the data breach risks by pouring all that data into a
massive, complex system that can be accessed by tens of thousands of
people.

If patients are meant to be at the centre of their
healthcare, then maybe they should be carrying the data. After all,
medical practitioners only need that data if the patient is right there
in front of them.

Give every Australian resident a USB stick to
carry around their neck on a string, like soldiers wear dog tags
recording their blood type. Or maybe a wristband with some Bluetooth
cleverness.

And of course the last para. is a ripper.

"With the Australian government's well-known track record with this sort
of big IT project, we can obviously rest assured that everything will
run smoothly as expected."

18 comments:

Anonymous
said...

Znet article is a worthy contribution, I am not sure about the USB stick around the neck bit. A better option is the smart phone, these are widespread, you can with many track their location, remotely wipe the data with ease, and I observe most people notice they left their phone somewhere quicker than their wallet. Makes like iphone have an emergency feature that you can store important health information such as medication, alegies and can be accessed if the phone is locked. Those that don't have this I am sure can include an app and innovators are very active in the smart phone market. Yes some may not be in a position to take advantage for one reason or another, but I would wager that would be a blocker to a central database in canberra as well.

But as highlighted this is more about other drivers than perhaps the patient. Citizen can then chose if the want to share information for research, access their GP clinical systems and should be able to switch app and service providers at ease.

ADHA may only see a monetary value but is that the true cost of identity theft on such a grand scale?

The "How ADHA is trying to secure GP clinics" article is interesting as it raises a number of questions.

Why were these issues of endpoint security not identified and addressed before the system was put into operation over five years ago?

Will the risks and failings be addressed before the system is put into full opt-out mode?

Will the similar (and probably even higher) risks associated with pharmacists be addressed?

Is it possible that the design of the system means that the risks and failings cannot be adequately addressed?

These are all questions that really ought to be raised and resolved in any half decent strategy. Were they? Apart from the mention of the Digital Health Cyber Security Centre, these risks and failings don't even get a mention.

IMHO, resolving these issues should be specifically included in the critical success factors not the vague and woolly statement "Consumer and healthcare provider trust in digital health is critical to the successful delivery of the National Digital Health Strategy." which cannot be measured or even be used as drivers for specific initiatives.

My experience of developing strategies is that the outcome is a document that provides context, discusses a range of options, and includes a justified, coherent and consistent set of decisions that translate into actions. The ADHA strategy contains no options, it just says - we are going to to this. It's just the sort of motherhood that created the MyHR that nobody used. Forcing everyone to be registered for one is unlikely to mean that it gets used.

The fact that the major outcome is a plan to "co-design a Framework for Action" means they haven't the foggiest idea what to do. So much for leadership.

The statement that "We’ve worked on the basis that one record is worth US$1 and we’ve got 22 million of them ..." when they sell for more that than on the black market means they don't value them as highly as 1) criminals and 2) probably their owners, certainly not this one. Is that what they base their risk assessment on?

As for the strategy itself, the very first sentence indicated to me, as a consumer of healthcare, that this was not going to be a good read. "Digital information is the bedrock of high quality healthcare."

I cannot fathom how they believe that the bedrock - that is, the fundamental principles on which something is based - of high quality healthcare is electronic records when in reality to most people it is the level of professional service you receive from someone in the healthcare professions.

Increasingly now I find myself having to pay for longer GP consultations because I spend time waiting while the GP has to type more info into their systems before I can get whatever paperwork I need for a script or whatever, because they have to justify everything so much. So I'd love to know how the online filling of scripts will work, change in legislation regardless.

Having attended HIC this week in Brisbane which overall was a great event, I did come away wonder that this strategy is the same old same old, just painted over with a few new buzz words and phrases. I wonder if those in charge truely understand the problems. Tim is a good speaker but as polished as it is it seems all rather shallow. It is what is not said that is a grave concern and the shift from tools to support healthcare workers it seems all focused on some persecution that the general public will use the MyHR as some sort of streaming data source where graphs and such like run as a banner on my smart TV. In reality much non clinical friends find it interesting but don't get excited by it, as one pointed out, she can't see how doctors or anyone else would stop asking you the usual questions and worry it will become a barrier between patient and provider and drive up costs.

Apart from the MyHR the topics look reasonable. I just hope that someone asks Tim what his strategy is for keeping the data in a person's MyHR accurate and up-to-date and what the risks to patient safety are if it's not?

On Monday, 16 October, the Medical Republic is launching a new series of summits called Wild Health in an attempt to address some of our most pressing and complex healthcare problems. We’ve lined-up key thought-leaders and a few protagonists, but we need you to come and ask them the hard questions. The ones they don’t get enough of because they, unlike you, aren’t spending most their time at the coalface – where the issues are most apparent, and probably some solutions are as well.

* The rise of Artificial Intelligence and the medical cloud, and how it will affect us all

* The emergence of the connected patient – and how this could impact your role

The Wild Health Summit is possibly unique in that you won’t be listening to people talking at you too much. You will mostly be asking a panel of expert questions – ala Q&A. Or at the very least hearing expert moderators ask the questions that need to be asked and addressed.

On the panels awaiting the tough questions will be thought and industry leaders including

Agree there were some master classes in invention, arrangement, style, memory, and delivery. But some great stuff too. Hopefully ADHA can understand health informatics is a complex and highly skilled discipline and not continue to mistake it for for CDA modelling.

Unfortunately, the PCEHR was built on a flawed understanding of health informatics. Changing something that's already in production is a bit like changing the definition of marriage. This government will need to be dragged screaming into the twentieth century while the rest of the world is galloping headlong into the twenty-first.

Bernard 9:33 AM the stand out line for me is “Interoperability road blocks and how we can go much faster”.

Whilst acknowledging the interoperability problem is far from solved, there seems to be a constancy and all embracing belief that we must see “how we can go faster”!

This mentality I submit is perhaps the root cause of so many major problems we see manifested in a lot of healthIT today.

Don't worry about the problems just let’s see if we can go faster.

With our engineering, clinical and ICT backgrounds we both know that before one can provide ADEQUATE answers to the really HARD questions one first needs to UNDERSTAND the problem.

With MyHR, ADHA, NEHTA, PCEHR, RTPM, ERRCD, it looks very much as though that has not yet really happened, despite all the rhetoric and chatter over many years, essentially because the prevailing desires to deliver on hugely ambitious aspirational thinking drives widespread deep seated needs to go faster and faster; undermining everything else.

You must have missed it but the infrastructure is all there, in place and complete.

How do I know? Well Steve Hambleton told us all in 2015 in an interview with Edwin Kruys:

"NEHTA can now complete its task of setting up the infrastructure and I guess the Australian Commission for E-Health, if it goes forward as proposed, can take it to the next step of more meaningful and better use of e-health.”

Maybe he hasn't told Tim Kelsey and all the others at ADHA. I doubt that they have read that article because it raises al sorts of issues and problems with the system, problems and issues that don't seem to have been covered off in the recent Clayton's Strategy.

And for any recent arrivals to Australia, a Clayton's strategy is the strategy you have when you don't have a strategy.

For anyone interested in how much progress has been made in the past two years - have a good hard read.

It gets better - The Australian Digital Health Agency (ADHA) intends to publish a draft plan for interoperability standards for healthcare providers by the end of this financial year, which CEO Tim Kelsey described as a 'licence to operate' that organisations in both the public and private sectors will need to adopt.

Looking forward to the Strategic Framework for Inability in a few weeks time.

Intends, draft - the language of failure

License to operate? So does that mean if you don't fall in line you get removed from the market, what does this license mean? How much will it cost? How will it be enforced?

Will this lock some standards out? If so will that impact international vendors, is the allow multiple standards that serve a similar purpose how will the co-exist?

'Near half-billion-dollar South Australian hospital records system failing: AMA

The AMA has said a new electronic records system being rolled out in South Australian hospitals is not fit for purpose.By Chris Duckett | August 9, 2017ZDNet

A new electronic records system being rolled out across South Australia's public hospitals is possibly not fit for purpose, according to the Australian Medical Association (AMA).

The AMA said it sent a questionnaire to almost 250 staff members, including doctors and nurses, asking for their views on the AU$422 million enterprise patient administration system (EPAS).

It says almost 40 percent reported that their opinion of EPAS was poor, 30 percent believed patients are not clinically safer, and 20 percent found it responsible for adverse patient outcomes.

"The AMA has consistently supported the concept of electronic medical records," president William Tam said on Wednesday.

"Yet our members are telling us that EPAS has failed to meet their hopes and expectations and is contributing to errors.

"You might expect some teething problems, but quite honestly, after four years we would expect most problems to be fixed."'

The ADHA strategy says this:

'The interoperability of clinical data is essential to high-quality, sustainable healthcare – this means that patient data is collected in standard ways and that it can be shared in real time with them and their providers.

By the end of 2018, a public consultation on draft interoperability standards will confirm an agreed vision and roadmap for implementation of interoperability between all public and private health and care services in Australia. Base-level requirements for using digital technology when providing care in Australia will be agreed, with improvements in data quality and interoperability delivered through adoption of clinical terminologies, unique identifiers and data standards. By 2022, the first regions in Australia will showcase comprehensive interoperability across health service provision.'

Is source data quality a critical success factor in the strategy? No. Is that because of a single minded focus on technology not medical information? Quite probably. Will interoperability and standards improve data quality? No.

And then there is this from the political angle:

'However, Health Minister Jack Snelling said the government believes those who responded to the AMA survey were not representative of the wider medical workforce.

Snelling told state parliament that the AMA is a "serial whinger".'

That seems to me to be indicative of the political approach to digital health - if the evidence disagrees with the ideology - ignore or dispute the evidence.